
ABYSSWORKER: Malicious driver disables security tools

A new cyber attack uses a driver called ABYSSWORKER to disable security software. The driver is part of a financially motivated campaign to distribute MEDUSA ransomware.

Security researchers at the Search AI company Elastic discovered this. The malware circumvents security systems by using a signed certificate; criminals often use such drivers to sideline security software. In the case of ABYSSWORKER, the driver is signed with a revoked certificate from a Chinese supplier.

How ABYSSWORKER operates

ABYSSWORKER’s strength lies in its ability to deceive security systems. Because the driver has an official signature, many security systems consider it reliable, allowing it to pass through the system’s defense lines without verification.

Once installed on the victim’s system, ABYSSWORKER uses its privileges to attack and disable various EDR (Endpoint Detection and Response) providers. This creates an opening for the MEDUSA ransomware to enter the system undetected.
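The article's point is that a signed driver is often waved through because it carries a signature at all, so a defender's first step is to look at which drivers are actually loaded and who signed them. The following PowerShell script is an added example, not code from the article or from Elastic: it enumerates the running kernel drivers on a Windows host, checks each file's Authenticode signature with Get-AuthenticodeSignature, and lists the ones whose signature is not Valid or whose signer is not Microsoft for manual review. It assumes an elevated PowerShell session on the host under review, and the "Microsoft signer is the expected baseline" rule is an assumption you should adapt to your own environment.

```powershell
# Added example, not from the article: triage loaded kernel drivers by their
# Authenticode signature so that drivers with an unexpected signer, or a
# signature that no longer validates, get a second look.
# Assumption: run in an elevated PowerShell session on the host being reviewed.

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Normalise the kernel-style path (\??\C:\..., \SystemRoot\..., or a
        # path relative to the Windows directory) into a Win32 path
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path $env:SystemRoot ($path.TrimStart('\'))
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # User-mode Authenticode verdict for the driver file
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = '<unsigned>'
        $thumb   = ''
        if ($sig.SignerCertificate) {
            $subject = $sig.SignerCertificate.Subject
            $thumb   = $sig.SignerCertificate.Thumbprint
        }

        # Assumption: Microsoft-signed drivers are the expected baseline;
        # everything else, and anything not Valid, is flagged for review.
        $review = ($sig.Status -ne 'Valid') -or ($subject -notmatch 'Microsoft')

        [pscustomobject]@{
            Driver     = $d.Name
            Path       = $path
            Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            StatusText = $sig.StatusMessage
            Signer     = $subject
            Thumbprint = $thumb
            Review     = $review
        }
    }
}

# Print only the drivers worth a closer look
Get-DriverSignatureReport |
    Where-Object Review |
    Sort-Object Status, Signer |
    Format-Table Driver, Status, StatusText, Signer, Thumbprint -AutoSize
```

The Status column is the user-mode Authenticode verdict on the file as it sits on disk, which is a review aid rather than evidence of what kernel code integrity enforced when the driver loaded; a third-party signer showing up on a host where no such driver is expected is the kind of finding the article's scenario would produce, and the thumbprint gives you a stable value to compare against a vendor's published signing certificate.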

Not a new concept, but a new application

Although the method is not entirely new, the current application shows a worrying evolution. Mandiant first reported the ‘EDR killer’ driver in 2022 in another campaign. However, a different certificate and different IO control codes were used then.

According to Elastic telemetry, ABYSSWORKER has been deployed in targeted ransomware operations. The sophisticated nature of these attacks points to the involvement of well-organized and well-equipped threat actors. The malware’s modular structure, use of multiple layers of obfuscation, and focus on evading security mechanisms illustrate the increasing complexity of modern ransomware ecosystems.